Introducing P2PE: Guide to Verifone Point-to-Point Encryption

In this guide, we explain what P2PE (Point-to-Point Encryption) is and help you determine if it's a suitable solution for your business.

At Verifone, we're proud to offer a P2PE solution that meets the rigorous security requirements set by the PCI SSC. In fact, of the two main processing networks in NZ, the Verifone network is the only one that is certified as meeting the strict requirements of P2PE. This formal endorsement provides our customers with the assurance that our solutions, gateways, and processes meet best-in-class security and encryption requirements.

It's important to note that implementing P2PE can be complex, and it requires strict adherence to the Payment Card Industry Security Standards Council's guidelines. That being said, businesses that implement P2PE benefit from increased protection against data breaches and can simplify their compliance efforts.

What is P2PE?

P2PE is a standard developed by the PCI Security Standards Council that protects cardholder data, card terminals, and physical point-of-sale setups from device tampering, data breaches, and external threats. It relies on a direct link between the payment terminal and the processing network, and a third party encrypts all card data at the moment it is captured by the terminal.

In comparison, End-to-End Encryption (E2EE) involves an indirect link between the payment card terminal and the processing network, and the link is secured by a single entity. Under E2EE the encryption can be performed by any party, but the processing network is the only party able to decrypt the data.

The primary difference between the two is that P2PE uses a direct link to the processing network, whereas E2EE can be managed by an external party, with all data remaining encrypted in transit. All Verifone EFTPOS payments are encrypted using end-to-end encryption (E2EE) by default. A business might choose P2PE if it has a particular interest in increased protection against data breaches. The level of security required, and how an individual or business allocates its resources, ultimately determines the optimal solution.

What do I need to do to meet the requirements?

To meet PCI compliance for P2PE, a business receives a P2PE Instruction Manual (PIM) from its solution provider, which must be followed carefully and implemented properly. The PIM provides guidance on securing payment terminals in-store, including regular inventory checks of terminals, the installation of security cameras to monitor terminals, monthly site inspections by staff to detect tampering, ensuring that devices are delivered in tamper-proof, sealed boxes, and maintaining a fully documented record of all of these activities.

Would my business benefit from P2PE?

Larger businesses with sufficient resources and a low tolerance for risk tend to favour a P2PE solution, because it provides an additional level of oversight over the handling of payment terminals. They may be willing to pay a premium per POS terminal for the increased security benefits, and they may allocate more time and personnel to maintaining the controls the PIM requires.


In conclusion, when choosing an encryption solution, businesses should consider their unique needs and the level of protection required for their customers' sensitive data. With the right solution in place, businesses can reduce the complexity of PCI compliance, improve customer trust, and protect themselves from potential data breaches. Ultimately, the decision to adopt P2PE should consider the benefits and the time and resources required to follow the PIM.


If you're interested in learning more about Verifone's P2PE solution or how to implement it, please contact your account manager for more information.